Monday, December 15, 2014

Here’s the Smoking Gun

Bloomberg published a very good story over the weekend about a 2008 oil pipeline blast in Turkey that was definitely due to a cyber attack[i]. It caused well over $1Bn in losses, as well as a large spill. My $.02 on this:

This and Stuxnet are the only two well documented successful cyber attacks on ICS that caused major physical damage (and I imagine the dollar loss for Stuxnet was much less than for this one, although it did also set Iran’s uranium enrichment program back a year or so). For a great summary of Stuxnet a couple of years after the fact, see this article by Ralph Langner.

However, I think this attack should be much more chilling for North American infrastructure owners (including power), since this was done by the “bad guys”. As we all know, Stuxnet was perpetrated by the “good guys”, and was specifically targeted at the Iranian nuclear program. Of course, the worm did end up propagating here and elsewhere, and it was expensive for some companies to clean it off their systems – but it never actually attacked other targets (and I don’t know of any successful “copycat” attacks).

We have all read that foreign entities, probably including nation-states, are doing reconnaissance of critical infrastructure in the US (including pipelines and of course the power grid). The attackers in Turkey had also done their reconnaissance of the BTC pipeline and knew that the Windows system controlling the security cameras had vulnerabilities. They exploited these vulnerabilities to attack other systems, as well as to disable many of the security cameras themselves during their attack. What’s there about this scenario that couldn’t happen in North America?

The fact that this was a cyber/physical attack just confirms what we’ve heard many times this year – that combining the two types of attacks allows the greatest amount of damage to occur. Metcalf was a purely physical attack, and – while it was certainly quite serious – it never came anywhere close to causing the amount of disruption that a cyber/physical attack could have. The Metcalf attackers are frequently pointed to as being very knowledgeable and “professional”, but they don’t hold a candle to the attackers of the Turkey pipeline, and the destruction they caused is pocket change compared to what was caused in Turkey.

I thought the conclusion of the story was quite interesting: the bombs the Russians dropped on another section of this pipeline during the war with Georgia (which started three days after the cyber attack) all missed the target. But the cyber attackers didn’t miss!

The moral of my story: nobody can say now that there hasn’t been a successful large-scale cyber attack – by genuinely evil people – against critical infrastructure.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] Sean McBride of Critical Intelligence, the subject of a recent post of mine, pointed out in his excellent blog that he had reported the incident to his customers in 2009. He then says “If you don’t want to hear about ICS security events five years later, subscribe to the Critical Intelligence Core ICS Intelligence Service.” Touché!